With almost 10 million current and former Optus customers affected by the recent data breach, there is talk of a potential class action being launched against Optus, either for negligence or for breach of privacy.
This may have you wondering – what obligations do businesses have to protect their customers’ privacy?
The Privacy Act 1988 is federal legislation that governs how personal information should be collected, used, stored and disclosed in Australia.
If a business’ annual turnover is more than $3 million, it has to comply with the Privacy Act. If a business has an annual turnover of $3 million or less, it is classified as a small business. Only some small businesses are covered by the Privacy Act, including those that ‘trade in personal information’, health service providers and credit reporting agencies.
The Office of the Australian Information Commissioner has a helpful checklist for small businesses to help them work out if they are covered by the Privacy Act. It is important to know if your business is covered by the Privacy Act because, if it is, your business has obligations in relation to protecting the privacy of its customers.
At the end of the Privacy Act is a schedule of 13 Australian Privacy Principles that all businesses covered by the Privacy Act must comply with. For a description of the 13 Privacy Principles, you can read our previous article: Commercial Law – Are you keeping your clients safe?
As detailed in our previous article, there are some other obligations on businesses in relation to their customers’ personal information, including but not limited to:
- notifying a person when their personal information has been collected;
- only using a person’s personal information for the purpose specified;
- not using a person’s personal information for direct marketing (unless one of the exceptions in the Privacy Principles applies);
- allowing a person access to their personal information; and
- updating a person’s personal information if it is out of date or inaccurate.
Destroying personal information
One of the issues that has arisen in the Optus breach is that it appears that Optus may have been holding personal information of customers that they no longer needed to hold.
Some of the Privacy Principles require businesses to destroy personal information in certain circumstances. For example, Privacy Principle #4 says that if a business receives unsolicited personal information about a person that it could not have collected under the Privacy Principles, it must destroy or de-identify that information as soon as practicable (if it is lawful and reasonable to do so).
Likewise, Privacy Principle #11 says that if a business holds personal information that it no longer needs for any purpose that is allowed under the Privacy Principles, and it is not required by law to retain it, it must take reasonable steps to destroy or de-identify the information.
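The practical side of Privacy Principle #11 is a retention sweep: a routine that finds records the business no longer needs and either destroys them or strips them down to non-identifying attributes. The following is an added example, not code from this article or from any real system; the record fields, the two-year retention period and the sample customers are constructed for illustration and are not statutory figures. It also shows a narrower case the article hints at: an identity document number collected for a one-off verification is no longer needed once that verification is complete, even for customers who are still active.

```python
"""Retention sweep for the 'destroy or de-identify' obligation under APP 11.

Added example, not code from the article or from any real system: the record
fields, the retention period and the sample customers are constructed for
illustration and are not statutory figures.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class CustomerRecord:
    customer_id: str
    name: Optional[str]
    email: Optional[str]
    id_document_number: Optional[str]  # collected only to verify identity once
    id_verified: bool
    state: str                          # coarse attribute kept for aggregate reporting
    plan: str
    service_ended: Optional[date]       # None while the customer is still active
    legal_hold: bool                    # still needed for a dispute, complaint or legal requirement


# Assumed business policy: keep a former customer's record for two years after
# the service ends. This is a constructed figure, not one taken from the Act.
RETENTION_AFTER_SERVICE = timedelta(days=2 * 365)


def strip_stale_id_document(record: CustomerRecord) -> CustomerRecord:
    """An identity document number is needed only until verification completes.

    Once the customer is verified the number serves no remaining purpose, so it
    is removed even from the records of active customers.
    """
    if record.id_verified and record.id_document_number is not None:
        return replace(record, id_document_number=None)
    return record


def decide(record: CustomerRecord, today: date, keep_aggregates: bool = True) -> str:
    """Return 'keep', 'deidentify' or 'destroy' for one record."""
    if record.legal_hold or record.service_ended is None:
        return "keep"
    if today - record.service_ended < RETENTION_AFTER_SERVICE:
        return "keep"
    # Past retention: nothing identifying is needed for a permitted purpose. The
    # only thing worth keeping, if anything, is the non-identifying attributes
    # used for aggregate reporting.
    return "deidentify" if keep_aggregates else "destroy"


def deidentify(record: CustomerRecord) -> dict:
    """Keep only attributes that do not identify the person on their own."""
    return {"state": record.state, "plan": record.plan}


def sweep(records, today: date, keep_aggregates: bool = True):
    """Apply the policy to a batch of records.

    Returns (kept identified records, de-identified rows, ids of identified
    records that were destroyed). A de-identified row is always accompanied by
    destruction of the identified record it came from.
    """
    kept, aggregates, destroyed = [], [], []
    for record in records:
        record = strip_stale_id_document(record)
        action = decide(record, today, keep_aggregates)
        if action == "keep":
            kept.append(record)
            continue
        if action == "deidentify":
            aggregates.append(deidentify(record))
        destroyed.append(record.customer_id)
    return kept, aggregates, destroyed


# Constructed sample data and reference date.
TODAY = date(2022, 10, 1)
SAMPLE_RECORDS = [
    CustomerRecord("c1", "Ann Lee", "ann@example.com", "DL1234567", True, "WA", "postpaid", None, False),
    CustomerRecord("c2", "Bob Roy", "bob@example.com", None, True, "WA", "prepaid", date(2019, 1, 1), False),
    CustomerRecord("c3", "Cy Wu", "cy@example.com", None, True, "NSW", "postpaid", date(2022, 6, 1), False),
    CustomerRecord("c4", "Di Ng", "di@example.com", None, True, "VIC", "prepaid", date(2018, 3, 1), True),
    CustomerRecord("c5", "Ed Xu", "ed@example.com", "P9876543", False, "QLD", "postpaid", None, False),
]

if __name__ == "__main__":
    kept, aggregates, destroyed = sweep(SAMPLE_RECORDS, TODAY)
    for r in kept:
        print(r.customer_id, "id document held:", r.id_document_number)
    print("de-identified rows:", aggregates)
    print("destroyed:", destroyed)
```

Two caveats a practitioner would add. Removing direct identifiers is the minimum, not the whole job: the retained attributes have to be checked for re-identification risk when combined (state plus plan is coarse, but adding a date of birth or postcode would change that). And the identified record usually lives in more than one place, so the sweep has to reach backups, exports and logs, not just the primary table.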
Data breach reporting obligations
After Optus found out about its data breach, it notified the relevant agencies and affected individuals. This was because of the Notifiable Data Breaches scheme, which requires businesses covered by the Privacy Act to notify the Office of the Australian Information Commissioner and affected individuals if:
- there is unauthorised access to, or unauthorised disclosure of, personal information, or personal information is lost in circumstances where such access or disclosure is likely to occur; AND
- a reasonable person would conclude that this is likely to result in serious harm to one or more individuals; AND
- the business has not been able to prevent the likely risk of serious harm with remedial action.
If you run a business and want to better understand your obligations under the Privacy Act, don’t hesitate to get in contact with Lynn & Brown Lawyers for expert legal assistance.
About the authors: This article has been co-authored by Chelsea McNeill and Steven Brown. Chelsea is a lawyer who graduated from Murdoch University. Steven is a Perth lawyer and director with over 20 years’ experience in legal practice, and practises in commercial law, dispute resolution and estate planning.